Malware Analysis Report

2024-09-11 13:18

Sample ID 240613-3c3c3avepb
Target 8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe
SHA256 2ed91f478d342a513e4f6c3198c75b8d70663858628da7dc071f34cc8bd61dbf
Tags
evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ed91f478d342a513e4f6c3198c75b8d70663858628da7dc071f34cc8bd61dbf

Threat Level: Known bad

The file 8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Windows security bypass

Sets file execution options in registry

Drops file in Drivers directory

Modifies Installed Components in the registry

Windows security modification

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Defense Evasion
TA0005
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:22

Reported

2024-06-13 23:25

Platform

win7-20240220-en

Max time kernel

149s

Max time network

120s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\rmass.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\IsInstalled = "1" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\StubPath = "C:\\Windows\\system32\\ahuy.exe" C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858} C:\Windows\SysWOW64\rmass.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" C:\Windows\SysWOW64\rmass.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe C:\Windows\SysWOW64\rmass.exe
PID 2784 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe C:\Windows\SysWOW64\rmass.exe
PID 2784 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe C:\Windows\SysWOW64\rmass.exe
PID 2784 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe C:\Windows\SysWOW64\rmass.exe
PID 2864 wrote to memory of 436 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\system32\winlogon.exe
PID 2864 wrote to memory of 1092 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\Explorer.EXE
PID 2864 wrote to memory of 2580 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe
PID 2864 wrote to memory of 2580 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe
PID 2864 wrote to memory of 2580 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe
PID 2864 wrote to memory of 2580 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe"

C:\Windows\SysWOW64\rmass.exe

"C:\Windows\SysWOW64\rmass.exe"

C:\Windows\SysWOW64\rmass.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 cermylhyw.nu udp
US 8.8.8.8:53 cermylhyw.nu udp

Files

\Windows\SysWOW64\rmass.exe

MD5 c832e0e17cbac86b4bccac75feb915e3
SHA1 8a3b21f56dbe663024c5ff3d4563061768024005
SHA256 f71a62336813d0ec2e6561ba220150010733bb8eb2518e87d0b28fd19f99d590
SHA512 c7175fcd9615e6aa86eab7afc05b9478fa3f4681d091a477672feee96362fe799661b37f40b0bc940149ad4e35bb72f1214aa55442d0208b2b76f8f216b12aad

memory/2784-7-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\RECOVER32.DLL

MD5 2b2c28a7a01f9584fe220ef84003427f
SHA1 5fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA256 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA512 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

C:\Windows\SysWOW64\ntdbg.exe

MD5 39c853f6b5e6fb26110781d1be690b91
SHA1 5431e2077e559595311a4c6271bb1dec9e5a33ac
SHA256 4efff4979f966cf63d69a9746b314354748344689345b3d6785a9a5326b0b37e
SHA512 f1168a206816045350530c773fa8437cd7415f9081c5e3e8dad36d9e34dbd7d1d6ef5475591b1685068953616ef6d465cfb8800a90de4dfd3b9a39143324a399

C:\Windows\SysWOW64\ahuy.exe

MD5 7275a13614e96ae91ee5956c9ff9cfef
SHA1 ee88021b4688a17f76c60819ac0c612867e56f17
SHA256 efe195c641c42185f292bc4b4bede2d29f61fa04767664a75d98336a11a1458b
SHA512 ebc0ef580b4af7a6cb1ba02926491a0b479a6ef240b27db948afe65cbd3f7449a4b1bf6ab6abccff7f05bac83b6a37f61581f7d974184c3e8ade6346ad2d5eac

memory/2864-53-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2580-54-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 b10b13206b0f2cf3968050072f6979bf
SHA1 699db21ba9cecf3f13ac3d76e22cfa41aa94da80
SHA256 0eef3217095cb97b695c434e74d6314bf9e869a013d6e9c88e58c34576a276b4
SHA512 d33bfd931be6676539507a69101d99fa4c5ef36b12422bd11f063b9b6a47b7444f6c4ad5f35e044714fdb872e96cd9fddf049e8329af1219483887f6ac5f4a5d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 23:22

Reported

2024-06-13 23:25

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

52s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\rmass.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945} C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\IsInstalled = "1" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\StubPath = "C:\\Windows\\system32\\ahuy.exe" C:\Windows\SysWOW64\rmass.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" C:\Windows\SysWOW64\rmass.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe C:\Windows\SysWOW64\rmass.exe
PID 2100 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe C:\Windows\SysWOW64\rmass.exe
PID 2100 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe C:\Windows\SysWOW64\rmass.exe
PID 5112 wrote to memory of 1316 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe
PID 5112 wrote to memory of 1316 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe
PID 5112 wrote to memory of 1316 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe
PID 5112 wrote to memory of 624 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\system32\winlogon.exe
PID 5112 wrote to memory of 3508 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8fb0ad31baed94851ee5478ff397fb30_NeikiAnalytics.exe"

C:\Windows\SysWOW64\rmass.exe

"C:\Windows\SysWOW64\rmass.exe"

C:\Windows\SysWOW64\rmass.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 mggggxghqgxsy.tk udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 mggggxghqgxsy.tk udp

Files

C:\Windows\SysWOW64\rmass.exe

MD5 c832e0e17cbac86b4bccac75feb915e3
SHA1 8a3b21f56dbe663024c5ff3d4563061768024005
SHA256 f71a62336813d0ec2e6561ba220150010733bb8eb2518e87d0b28fd19f99d590
SHA512 c7175fcd9615e6aa86eab7afc05b9478fa3f4681d091a477672feee96362fe799661b37f40b0bc940149ad4e35bb72f1214aa55442d0208b2b76f8f216b12aad

memory/2100-3-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\ahuy.exe

MD5 cbffac4e08aefc4b2b187fb3e1f947af
SHA1 04a3facb953c39e4bbe1d23a07f20492d838bac5
SHA256 8e39bc456d0347c2ee1ea2d3a485308c41101246378b513eb7a8e2fce263b2da
SHA512 7906adb66774c12a9e3f31c48b77fcfa48af8fc4be9ce70ca908ed56e2a2853fdf7e8bd14e2a3e1fbd887dd196d01dbd039cf2fd1fc18e883d2a4d09acf0f44a

C:\Windows\SysWOW64\RECOVER32.DLL

MD5 2b2c28a7a01f9584fe220ef84003427f
SHA1 5fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA256 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA512 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

C:\Windows\SysWOW64\ntdbg.exe

MD5 b2d94510e6b81891661a5288ca3142c0
SHA1 9e8edeea3f936cc5b05d31c7b0abc1c323244f9f
SHA256 e8379200678a4f816e9b917386b5e66318ab48e7b4fe3562ecbe93328af673f0
SHA512 36b80ed4db3e5f8c48dbd4cf1fd6ab493e4444c738a8f8f8887845e84bbb3f8a697d72fb66d04a8bc589b7302a0d5565b32e81e5baf16c8527a8708b937e2b51

memory/5112-47-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1316-48-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 6f47b62de25d1745e296a06b3f98ed19
SHA1 a688bb35a4c8a5cc198985d624a1b5a6ac5b9f6f
SHA256 15c7218eb9cef5fa0573db657b15ce3a5f0e0609f1166df8098ca7152df505b4
SHA512 dea26fff8060f44bf20fe4fff2ecbacf428727f10c0f5886fb4813e28fce9cbc3d088337c84edd9857b18514c83f1bb1cf0f51518aaecef09f30e921f4d758d7